Just before the July 4th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately. 

In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.

A Delay in Regulatory Enforcement

The CPRA, which went into operation earlier this year but was not enforceable until July 1, amends and expands upon the 2018 California Consumer Privacy Act (“CCPA”) by setting fresh standards for the collection, retention, and usage of personal information. Among other things, the law establishes the Agency, a first-in-the-nation agency focused exclusively on data privacy regulation and enforcement. The Agency is charged with drafting regulations to “further the purposes” of the CPRA, including in specified areas like the rights to limit the use of sensitive personal information and correct inaccurate personal information.

The deadline for final CPRA regulations was set for July 1, 2022, but the Agency was unable to meet that timeline. Instead, the Agency adopted regulations covering 12 of the 15 areas for which regulations were required on March 29, 2023 (the “March Regulations”), three months before CPRA enforcement was set to begin. Notably absent from the March Regulations were rules around cybersecurity audits, risk assessments, and automated decision-making technology: three topic areas for which future regulations are required.

One day after the March Regulations were adopted, the California Chamber of Commerce filed suit, arguing that the Agency was required to implement regulations by July 1, 2022, and that its failure to do so meant that the Agency should not enforce those rules until one year after adoption of the final regulations. Judge James P. Arguelles of the Superior Court of California agreed in most respects, finding that there must be a one-year gap between the implementation of regulations and their enforcement.

The court, however, declined to adopt the Chamber’s position that the Agency must refrain from all enforcement prior to the adoption of the complete set of required CPRA regulations. The court stated that it “agrees with the Agency that delaying the Agency’s ability to enforce any violation of the Act for 12 months after the last regulation in a single area has been implemented would … thwart the voters’ intent to protect the privacy of Californians.” The court stayed enforcement of the Agency’s final regulations until March 29, 2024, and other regulations it may issue—including regulations regarding cybersecurity audits, risk assessments, and automated decision-making—until one year from their adoption, but did not take a position on the enforceability of the underlying statute.

There remains some uncertainty, however, regarding the ruling’s impact on other statutory terms. Because the ruling did not expressly apply to the statute itself, but only to the Agency’s regulations issued under Section 1798.185(d), the Agency appears to argue that the CPRA’s statutory terms themselves are self-implementing and enforceable. At the same time, many of those potentially “self-implementing” requirements could still be impacted by required regulations in important respects, and the failure to give businesses adequate time to address those regulations could lead to unfairness. Section 1798.121(a), for example, grants California residents the right to limit use and disclosure of sensitive personal information but also permits businesses to continue to use such information for purposes authorized by CPRA regulations. Those purposes were addressed in the March Regulations, but businesses have not yet had a year to conform their practices to ensure compliance. At the same time, without these regulations in place, statutory requirements governing the use of sensitive personal information would be overbroad. It remains unresolved how the court’s ruling will apply in such circumstances, and it is possible that the court’s ruling may prove to be broader than it at first seems.

Practical Implications of the Delay

Even if the CPRA itself remains enforceable, the delay will impact some of the more technical requirements included in the March Regulations, which are not otherwise addressed in the statutory text of the CPRA. Examples include required terms within a business’ website privacy notice and procedures for responding to data subject requests. Because these requirements do not appear in the statute itself, they will not be enforceable in the near term.

Other requirements addressed in the March Regulations, like their lengthy rules around browser-enabled opt-out preference signals, dark patterns, and consumer expectations, may be unenforceable in the short term, although the Agency could take the position that those requirements are implied by the statutory text and do not require regulations to become enforceable.

Still, the delay does not grant businesses a free pass. Businesses are well-advised to press forward implementing any remaining items of their CPRA checklists even though the ruling grants extra time to sort out some technical details. Many aspects of the CPRA, such as its requirements around opting out of the sharing of personal information for cross-contextual behavioral advertising, putting in place contracts with service providers, and limiting processing of personal information to purposes that are disclosed in a privacy notice or otherwise compatible with the context in which it was collected, could likely be enforced. The Agency may press forward even where there is ambiguity around the scope of its authority.

Additionally, California regulators have already used their powers under CCPA as it existed prior to the CPRA amendments to compel companies to change their privacy practices. Regulators will likely continue to use their existing authority to pressure businesses around practices such as the disclosure of personal information through online tracking technologies. Likewise, the court’s stay does not impact the applicability of the law to employee and business contact data that had been subject to exceptions from some CCPA requirements prior to January 1, 2023. Businesses will need to ensure that their employees receive privacy notices that fully disclose their data rights and that they have processes in place to respond to data subject requests, such as requests for personal information collected and requests to delete personal information. Ropes & Gray will continue to track developments in this area.